Re: RBL Rules Question

Jeremy Fairbrass Fri, 03 Aug 2007 00:50:35 -0700

Try this (for replacing your the three meta rules):

meta            RCVD_IN_LRBL_W          (__RCVD_IN_LRBL_W && !__RCVD_IN_LRBL_B)
describe        RCVD_IN_LRBL_W          Local RBL Whitelist
tflags          RCVD_IN_LRBL_W          net
score           RCVD_IN_LRBL_W          -7


meta            RCVD_IN_LRBL_B          (__RCVD_IN_LRBL_B && !__RCVD_IN_LRBL_W)
describe        RCVD_IN_LRBL_B          Local RBL Blacklist
tflags          RCVD_IN_LRBL_B          net
score           RCVD_IN_LRBL_B          7

meta            RCVD_IN_LRBL_Y          (__RCVD_IN_LRBL_W && __RCVD_IN_LRBL_B)
describe        RCVD_IN_LRBL_Y          Local RBL Yellowlist
tflags          RCVD_IN_LRBL_Y          net
score           RCVD_IN_LRBL_Y          -3

Note: if you put an exclamation mark directly in front of a rule name (eg. 
!__RCVD_IN_LRBL_B) it means "if this rule does NOT fire". 
Therefore, the meta rule RCVD_IN_LRBL_W above states "if __RCVD_IN_LRBL_W fires 
and __RCVD_IN_LRBL_B does not fire". And the meta 
for RCVD_IN_LRBL_Y obviously works when both __RCVD_IN_LRBL_W and 
__RCVD_IN_LRBL_B have fired. I think it's better to use && rather 
than + in this case.

Cheers,
Jeremy



"UxBoD" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I have written the following ruleset for our local RBL server :-
>
> header          __RCVD_IN_LRBL          
> eval:check_rbl('LRBL','dnsrbl.local.com.')
> tflags          __RCVD_IN_LRBL          net
>
> header          __RCVD_IN_LRBL_B        eval:check_rbl_sub('LRBL', 
> '127.0.0.2')
> tflags          __RCVD_IN_LRBL_B        net
>
> header          __RCVD_IN_LRBL_W        eval:check_rbl_sub('LRBL', 
> '127.0.0.3')
> tflags          __RCVD_IN_LRBL_W        net
>
> meta            RCVD_IN_LRBL_W          (__RCVD_IN_LRBL_W + __RCVD_IN_LRBL_B 
> = 1)
> describe        RCVD_IN_LRBL_W          Local RBL Whitelist
> tflags          RCVD_IN_LRBL_W          net
> score           RCVD_IN_LRBL_W          -7
>
> meta            RCVD_IN_LRBL_B          (__RCVD_IN_LRBL_W + __RCVD_IN_LRBL_B 
> = 1)
> describe        RCVD_IN_LRBL_B          Local RBL Blacklist
> tflags          RCVD_IN_LRBL_B          net
> score           RCVD_IN_LRBL_B          7
>
> meta            RCVD_IN_LRBL_Y          (__RCVD_IN_LRBL_W + __RCVD_IN_LRBL_B 
> = 2)
> describe        RCVD_IN_LRBL_Y          Local RBL Yellowlist
> tflags          RCVD_IN_LRBL_Y          net
> score           RCVD_IN_LRBL_Y          -3
>
> But obviously it will score the whitelist and blacklist the same if the IP 
> address appears in both lists.  How can I say on the 
> meta rule that if it *only* appears in blacklist score -7, and 7 if in 
> whitelist, and if in both use the yellowlist ?
>
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

Re: RBL Rules Question

Reply via email to